From 608304c3de19f0da5139ab98fc73497d5d4c0de2 Mon Sep 17 00:00:00 2001 From: Joakim Persson Date: Wed, 27 May 2026 15:02:24 +0000 Subject: [PATCH] Bump opencode 1.15.10 -> 1.15.11 + cut v1.15.11 First release on opencode 1.15.11. Also ships the four devbox-side fixes accumulated since v1.15.10: - 668592d Base: SSH ControlMaster default on a writable socket path - 73a7f96 Base: gitleaks added; git-crypt confirmed installed - 3cbcb44 CI: fix resolve-versions to use curl+jq instead of npm view - f7c3409 CI: preventative fix for PI_VERSION/OMOS_VERSION cache-hit regression Downstream pi-devbox inherits all of these on its next build against base-latest. Upstream release notes: https://github.com/anomalyco/opencode/releases/tag/v1.15.11 --- CHANGELOG.md | 22 ++++++++++++++++++++++ Dockerfile.variant | 2 +- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f1eaf52..d445660 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -8,6 +8,26 @@ Tags follow `v{opencode_version}[letter]` — bare tag for the first build on a ## Unreleased +_(no changes since v1.15.11)_ + +--- + +## v1.15.11 — 2026-05-27 + +First release on opencode 1.15.11. Also bakes in four devbox-side fixes accumulated since v1.15.10 (SSH ControlMaster on a writable path, gitleaks added to base, CI resolve-versions hardening, CI cache-hit regression fix). Downstream pi-devbox inherits all of these on its next build against `base-latest`. + +### Bumped: opencode 1.15.10 → 1.15.11 + +`OPENCODE_VERSION` ARG bumped in `Dockerfile.variant`. Highlights from the upstream release (full notes: ): + +- **Core / Improvements** — new `headerTimeout` config for provider requests (10s default for default OpenAI setups); experimental background agents now push updates without polling; remote-backed projects resolve a stable project identity; `modalities.input` / `modalities.output` can be set independently. +- **Core / Bugfixes** — dynamically added MCP servers now disconnect cleanly on removal; Google tool calling fixed after upstream tool-ID regression; resumed sessions no longer continue orphaned interrupted tools; OpenAI reasoning summaries render as separate blocks; the `shell` tool now advertises its configured timeout to the model; config loading falls back cleanly when user info is unavailable. +- **TUI** — prompt resizes with terminal width (new prompt-size config); accelerated diff-viewer scrolling; external editors open from the worktree directory when available. +- **Desktop** — refined v2 home screen, prompt, status popover, and session controls; fixed V2 titlebar errors when a session sync cache was deleted; web deployments no longer run desktop health checks; duplicate server connections are merged. +- **Extensions** — new `dispose` hook for plugins; Codex plugin now sends the expected session-ID header. + +No `opencode-devbox`-side changes were required to consume 1.15.11 — pure version bump. 
+ ### Base: SSH ControlMaster default on a writable socket path Devboxes typically mount `~/.ssh` from the host as **read-only** (security: keys remain readable but agents can't tamper with config / known_hosts / authorized_keys / plant a malicious ProxyCommand). OpenSSH's default `ControlPath` lands inside `~/.ssh/cm/`, which is unwritable on such mounts — so any attempt to use `ControlMaster auto` (or anything that wants to multiplex) fails with: @@ -26,6 +46,8 @@ The second line is downstream: when ControlMaster fails the ssh client falls bac Downstream pi-devbox and any other variant inherits this on its next build against `base-latest`. Discovered while running a recon-shell from inside pi-devbox to a Proxmox node — fresh ssh hit banner timeout, debug output pointed at the read-only socket dir. +_(Originally landed on `main` 2026-05-24 as commit `668592d`; first ships in v1.15.11.)_ + ### Base: gitleaks added; git-crypt confirmed already installed `gitleaks` is now baked into `Dockerfile.base` (Go-compiled binary fetched from GitHub releases, same `/releases/latest` redirect-resolution pattern as gosu/fzf/git-lfs/etc.). It pairs with `git-crypt`, which has been installed via apt all along but wasn't asserted by smoke or called out in user-facing docs. Several of the user's repos use both as part of their secret-management setup (gitleaks pre-commit hook + git-crypt for selectively-encrypted canonical config); having them in the devbox means `pi install`-style hooks fire correctly inside the container instead of warning that gitleaks is missing. diff --git a/Dockerfile.variant b/Dockerfile.variant index 9d6c47a..1c4e213 100644 --- a/Dockerfile.variant +++ b/Dockerfile.variant 
@@ -36,7 +36,7 @@ ARG USER_NAME=developer # edit, so the cache-hit class of bug that bit pi-devbox v0.74.0.. # v0.75.5 cannot apply here. ARG INSTALL_OPENCODE=true -ARG OPENCODE_VERSION=1.15.10 +ARG OPENCODE_VERSION=1.15.11 RUN if [ "${INSTALL_OPENCODE}" = "true" ]; then \ NPM_CONFIG_PREFIX=/usr npm install -g opencode-ai@${OPENCODE_VERSION} && \ opencode --version ; \
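Review bot: In the CHANGELOG.md hunk at `@@ -8,6 +8,26 @@`, the "Bumped: opencode 1.15.10 → 1.15.11" paragraph reads `(full notes: ):`, so the link target is missing from the line as it stands here. The commit message already carries the URL (https://github.com/anomalyco/opencode/releases/tag/v1.15.11); put the same URL inside the parentheses so the changelog entry stands on its own without the commit log. The closing sentence calls this a pure version bump, while the highlights list a new `headerTimeout` with a 10s default for default OpenAI setups; a short line saying whether devbox users need to act on that default would keep the two statements from reading as contradictory.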
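Review bot: In the CHANGELOG.md hunk at `@@ -26,6 +46,8 @@`, the "Originally landed on `main` ... as commit `668592d`" provenance line is added only under the SSH ControlMaster entry; the gitleaks section that follows in the visible context gets no equivalent. The v1.15.11 summary and the commit message both list four devbox-side fixes (668592d, 73a7f96, 3cbcb44, f7c3409), so add the same kind of line to the gitleaks entry and to the two CI entries, or drop it here for consistency. Otherwise a reader tracing which commit first shipped in which tag has that information for one fix out of four.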
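Review bot: In the Dockerfile.variant hunk at `@@ -36,7 +36,7 @@`, the `RUN` step below the bumped `ARG OPENCODE_VERSION=1.15.11` only prints `opencode --version`; it never compares the output to `${OPENCODE_VERSION}`. The comment above the ARG is about a cache-hit class of bug, and an assertion is the cheap guard for that: fail the build when the version output does not contain `${OPENCODE_VERSION}` (for example by piping it through `grep -F`), so a stale layer or an unexpected resolution cannot ship under the v1.15.11 tag. The install is pinned by version string only, so if the project records integrity hashes for other fetched tools, this global `npm install -g opencode-ai@${OPENCODE_VERSION}` is a candidate for the same treatment.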